Linux & Mac & Bash Command Dictionary


umask

Since: All Linux
macOS(2001 Cheetah)
Bash 1.0(1989)

umask controls the default permissions applied to newly created files and directories. The umask value represents the permission bits you want to deny. The actual permissions are calculated by removing those bits from the base permissions (666 for files, 777 for directories) using a bitwise AND NOT operation.

Common Values (022 / 077 / 002)

umask   File               Directory           Use Case
022     644 (rw-r--r--)    755 (rwxr-xr-x)     Default. Owner can read/write; group and others can only read. Typical server setting.
077     600 (rw-------)    700 (rwx------)     Owner access only. Suitable for environments handling private keys or sensitive files.
002     664 (rw-rw-r--)    775 (rwxrwxr-x)     Allows group write access. Useful for development environments where multiple users share the same group.
000     666 (rw-rw-rw-)    777 (rwxrwxrwx)     Everyone can read and write (and traverse directories). High security risk; avoid in normal use.

How umask Works (Bitwise Mask)

umask does not work by simple subtraction — it uses a bitwise AND NOT operation. For each bit position, if the corresponding bit is set in the umask, that permission bit is cleared from the result.

actual permissions = base permissions AND NOT umask

The base for files is 666 (rw-rw-rw-) and for directories is 777 (rwxrwxrwx). With the commonly used umask 022, the calculation looks like this:

# For files
  666  (rw-rw-rw-)
- 022  (----w--w-)   ← umask (bit removal, not subtraction)
-----
  644  (rw-r--r--)   ← actual permissions

# For directories
  777  (rwxrwxrwx)
- 022  (----w--w-)
-----
  755  (rwxr-xr-x)

The reason the base for files is 666 and not 777 is to prevent the execute bit (x) from being set on new files by default. This avoids accidentally making text files or config files executable. To make a script executable, you explicitly run chmod +x after creating it.

The umask Command (Display / Set)

Running umask without arguments displays the current value.

umask
0022

Passing an octal number as an argument sets the umask to that value. The change applies to the current shell and to any process it starts afterwards; other terminals and new login sessions are unaffected.

umask 077

Confirm the change.

umask
0077

umask -S (Symbolic Display)

umask -S displays the permissions that are allowed in symbolic (rwx) form. This is easier to read intuitively than the numeric form.

umask 022
umask -S
u=rwx,g=rx,o=rx

With umask 077, all group and other permissions are removed, giving the following result.

umask 077
umask -S
u=rwx,g=,o=

You can also pass a symbolic expression directly to umask. This form lists the permissions to keep rather than the bits to remove, so the following is equivalent to umask 022.

umask u=rwx,g=rx,o=rx

Sample Code

Check the current umask, create a file and directory, then verify their permissions.

umask
0022
touch cursed_objects.txt
mkdir mission_briefing
ls -l
-rw-r--r--  1 gojo  staff    0 Apr  9 21:00 cursed_objects.txt
drwxr-xr-x  2 gojo  staff   64 Apr  9 21:00 mission_briefing

After switching to umask 077, newly created files and directories are accessible only by the owner.

umask 077
umask
0077
touch technique_archive.dat
mkdir barrier_config
ls -l
-rw-------  1 gojo  staff    0 Apr  9 21:01 technique_archive.dat
drwx------  2 gojo  staff   64 Apr  9 21:01 barrier_config

A script that sets the umask and verifies the result. Because the script runs in its own process, the umask it sets applies to the script and to the commands it launches, not to the shell that ran it; for a setting that survives across sessions, the same umask line goes into ~/.bashrc as described below.

barrier_config.sh
#!/bin/bash
# umask configuration and verification script

# Restrict access to owner only (for sensitive files)
umask 077

echo "Current umask: $(umask)"
echo "Symbolic display: $(umask -S)"

# Create files and directories, then check permissions
touch technique_archive.dat
mkdir -p barrier_config/restricted

echo "--- Permissions after creation ---"
ls -ld technique_archive.dat barrier_config/restricted

Run the following command:

bash barrier_config.sh
Current umask: 0077
Symbolic display: u=rwx,g=,o=
--- Permissions after creation ---
drwx------  2 gojo  staff  64 Apr  9 21:02 barrier_config/restricted
-rw-------  1 gojo  staff   0 Apr  9 21:02 technique_archive.dat

Making umask Persistent

umask is an attribute of the shell process. A change made in one shell applies to that shell and is inherited by the child processes it starts afterwards (the mask is passed across fork and exec), but it does not reach other terminals or new login sessions, because each of those starts again from the system default. To make it persistent, add it to ~/.bashrc or ~/.profile.

~/.bashrc
# Add to ~/.bashrc or ~/.profile
umask 022

~/.profile or ~/.bash_profile is read by login shells (an SSH session, a console login), while ~/.bashrc is read by interactive non-login shells (a new terminal window on most desktops). A common approach that covers both cases is to define it in ~/.bashrc and have ~/.bash_profile source ~/.bashrc.

On Linux, the system-wide default umask is configured in /etc/profile or via the UMASK variable in /etc/login.defs (honored by the login program and by the pam_umask module where it is enabled). A value of 022 is common for general users, while 077 is often used for service accounts that handle sensitive data. Note that daemons and cron jobs do not read shell startup files at all, so a service's umask has to be set where the service is started; under systemd that is the UMask= directive in the unit file, which defaults to 0022.

Common Mistakes

Common Mistake 1: umask Uses Bitwise AND NOT, Not Subtraction

The idea that "666 minus 022 equals 644" happens to produce the correct result in that specific case, but it is not how umask actually works. umask uses bitwise AND NOT. Here is an example where subtraction gives the wrong answer.

Take umask 033 as an example. Subtraction would give 666 − 033 = 633, but the actual result is 644.

umask 033
touch cursed_objects.txt
ls -l cursed_objects.txt
-rw-r--r--  1 gojo  staff  0 Apr  9 21:03 cursed_objects.txt

Expanding each octal digit into binary to verify:

  110 110 110   (666 in binary)
AND NOT
  000 011 011   (033 in binary)
= 110 100 100 = 644

Subtraction gives 633, but the actual result is 644. The two methods agree only when every bit set in the umask is also set in the base, so that no borrow occurs. With 022, the masked bits (the group and other w bits) are all present in 666. With 033, the x bits are set in the umask but absent from 666: within each octal digit, 6 (110) minus 3 (011) borrows and yields 3 (-wx), whereas AND NOT simply clears the w bit and yields 4 (r--).
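The following script is an added example (not part of the original page) that turns the bitwise rule from "How umask Works" and the 033 counterexample from Common Mistake 1 into something you can run: it computes base AND NOT umask the way the kernel does, shows where naive subtraction diverges, and then checks the prediction against a file actually created under that umask in a scratch directory. The function names and the scratch-directory probe are this example's own.

```bash
#!/bin/bash
# Added example: compute effective permissions as base AND NOT umask, contrast
# with naive subtraction, and verify against a file created under that umask.
# Function names are this example's own, not part of any tool.

# effective_mode BASE UMASK -> octal mode, e.g. effective_mode 666 033 -> 644
effective_mode() {
    # A leading 0 makes the shell parse the arguments as octal.
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# subtract_mode BASE UMASK -> the naive arithmetic answer, which is wrong
# whenever the umask has a bit set that the base does not (666 - 033 -> 633)
subtract_mode() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# mode_to_symbolic 644 -> rw-r--r--
mode_to_symbolic() {
    local mode=$(( 0$1 )) sym='' bit
    for bit in 8 7 6 5 4 3 2 1 0; do
        if [ $(( (mode >> bit) & 1 )) -eq 1 ]; then
            case $(( bit % 3 )) in
                2) sym="${sym}r" ;;
                1) sym="${sym}w" ;;
                0) sym="${sym}x" ;;
            esac
        else
            sym="${sym}-"
        fi
    done
    printf '%s\n' "$sym"
}

# subtraction_matches BASE UMASK -> yes/no; subtraction agrees with the real
# rule only when every bit set in the umask is also set in the base
subtraction_matches() {
    if [ "$(effective_mode "$1" "$2")" = "$(subtract_mode "$1" "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# check_on_disk UMASK -> "ok" if a file created under UMASK in a scratch
# directory has exactly the mode effective_mode predicts, else a mismatch message
check_on_disk() {
    local mask=$1 dir expected actual
    dir=$(mktemp -d) || return 1
    ( umask "$mask" && : > "$dir/probe" )        # umask change confined to the subshell
    actual=$(ls -l "$dir/probe" | cut -c2-10)    # the nine permission characters
    expected=$(mode_to_symbolic "$(effective_mode 666 "$mask")")
    rm -rf "$dir"
    if [ "$actual" = "$expected" ]; then
        echo ok
    else
        echo "mismatch: expected $expected, got $actual"
    fi
}

# Demo when run directly; the functions above are the reusable part.
for m in 022 033 077 002; do
    printf 'umask %s: file %s (%s), dir %s, subtraction gives %s, on disk: %s\n' \
        "$m" "$(effective_mode 666 "$m")" "$(mode_to_symbolic "$(effective_mode 666 "$m")")" \
        "$(effective_mode 777 "$m")" "$(subtract_mode 666 "$m")" "$(check_on_disk "$m")"
done
```

The on-disk check uses a subshell so the temporary umask never reaches the calling shell; if it reports a mismatch on your system, look for a default ACL on the temporary directory, which can override the mask.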

Common Mistake 2: Security Risk of umask 000

Setting umask 000 means newly created files get permissions 666 (rw-rw-rw-) and directories get 777 (rwxrwxrwx). Every user on the system can read and write those files, and traverse or modify those directories.

umask 000
umask
0000
touch mission_briefing.txt
mkdir cursed_archive
ls -l
-rw-rw-rw-  1 gojo  staff    0 Apr  9 21:04 mission_briefing.txt
drwxrwxrwx  2 gojo  staff   64 Apr  9 21:04 cursed_archive

With umask 000 active, any other user on the same server can overwrite those files and can create or delete entries inside those directories. Widen the mask only for as long as it is needed. A script run with bash script.sh has its own process, so its umask cannot leak into the caller's shell; the save/restore pattern below matters when the commands run in the current shell, for example in a sourced file or a shell function.

#!/bin/bash
# Save the current umask, change it, then restore after the operation

OLD_UMASK=$(umask)
umask 000

# Create a shared file that everyone can read and write
touch /tmp/shared_mission_briefing.txt

# Restore the original umask
umask "$OLD_UMASK"

echo "umask restored to ${OLD_UMASK}"
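As an added example (not from the original page), the script below compares three ways of creating one deliberately world-writable file by looking at what happens to the next file the same shell creates: a leaky version that loosens the mask and never restores it, a subshell-scoped version that achieves the same as the save/restore pattern above without a variable that an early exit can skip, and a version that leaves the umask alone and widens only the one file with chmod. The function names and the scratch-directory probe are this example's own.

```bash
#!/bin/bash
# Added example: three ways to create one world-writable file, compared by
# the mode of the *next* file the same shell creates. Only the first leaks.
# Function names are this example's own.

# mode_of PATH -> the nine permission characters, e.g. rw-rw-rw-
mode_of() { ls -ld "$1" | cut -c2-10; }

# Leaky: loosens the mask and never restores it, so every file created
# afterwards in this shell is also world-writable.
create_shared_leaky() {
    umask 000
    : > "$1"
}

# Scoped: the umask change lives in a subshell and dies with it. Same effect
# as saving and restoring, but nothing can skip the restore.
create_shared_scoped() {
    ( umask 000 && : > "$1" )
}

# Explicit: keep the caller's umask and widen only this one file, so the
# world-writable mode is a visible, deliberate chmod rather than a side effect.
create_shared_explicit() {
    : > "$1" && chmod 666 "$1"
}

# probe CREATOR -> "<mode of the shared file> <mode of a file created afterwards>"
# CREATOR runs in a fresh subshell that starts from umask 022, so the result
# does not depend on the caller's mask and nothing leaks back into the caller.
probe() {
    local creator=$1 dir
    dir=$(mktemp -d) || return 1
    (
        umask 022
        "$creator" "$dir/shared"
        : > "$dir/next_file"
        printf '%s %s\n' "$(mode_of "$dir/shared")" "$(mode_of "$dir/next_file")"
    )
    rm -rf "$dir"
}

# Demo when run directly.
for c in create_shared_leaky create_shared_scoped create_shared_explicit; do
    printf '%-22s shared=%s next=%s\n' "$c" $(probe "$c")
done
```

All three produce a rw-rw-rw- shared file; only the leaky variant also turns the following, unrelated file into rw-rw-rw-, which is exactly the collateral damage the save/restore pattern is meant to prevent.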
